Accidentally created branch on github mirror (it has been undone, but sharing for disclosure)


Dmitri Shuralyov

Aug 10, 2017, 2:22:50 PM
to golang-dev
Hi,

I have just recently (~10 mins ago) performed an action unintentionally. I've undone this action, and I believe it's completely harmless. But this is a little post-mortem for these reasons:

- disclosure, in case someone noticed and wasn't sure what happened
- heads up, in case you run into this situation too
- to own up to my mistake, even though I believe it's harmless, it was not intentional

The action:

In the Go repository mirror on GitHub (i.e., https://github.com/golang/go), I've (unintentionally) created a git branch named "go1.8.3" pointing to the latest master commit at the time (352996a381701cfa0c16e8de29cbde8f3922182f). That branch shouldn't exist, and didn't exist before I created it. I've since removed it.

How it happened:

I wanted to see the Go repository at tag go1.8.3, so I visited https://github.com/golang/go. I was in the flow and moving quickly. I clicked on the "branch" dropdown box, as I often do:


Then I started typing "go1.8.3" and pressed enter before realizing that it would not do what I intended:


Because I have GitHub access (so I can help garden issues), and because the branch didn't exist, the default action was to create it rather than to switch to an existing one. I moved quickly and forgot it's a tag rather than a branch.

Followup:

I have deleted the new branch I've unintentionally created from the GitHub mirror of the Go repository and wrote this up to avoid any confusion.

Chris Broadfoot

Aug 10, 2017, 3:39:39 PM
to Dmitri Shuralyov, golang-dev
On Thu, Aug 10, 2017 at 11:22 AM, Dmitri Shuralyov <shur...@gmail.com> wrote:
> Because I have GitHub access (so I can help garden issues), and because the branch didn't exist, the default action was to create it rather than to switch to an existing one. I moved quickly and forgot it's a tag rather than a branch.

Can we prevent this by removing write access to the repo to everyone except the bot?

Or is this required to give access to issues/wiki?

Dmitri Shuralyov

Aug 10, 2017, 3:45:19 PM
to golang-dev, shur...@gmail.com
As far as I know, on GitHub, having push rights to the repository is unavoidable in order to be able to do things like:

- close/reopen issues other than ones you've created yourself
- apply labels to issues
- assign issues

Basically, there's only 4 tiers of access: read, write, admin, "owner". Write comes with ability to operate on issues, but also git push rights. See https://help.github.com/articles/repository-permission-levels-for-an-organization/.

Russ Cox

Aug 10, 2017, 3:57:28 PM
to Dmitri Shuralyov, golang-dev
Thanks for letting us know.

Note also that we do not encourage anyone to pull from github.com/golang/go: the official source of truth is go.googlesource.com/go. Having the code copied onto GitHub just helps browsing, such as jumping from an issue to a commit.

Also, if you hadn't deleted the branch, I believe the next force push from the Gerrit copy to GitHub would have blown it away.

Russ
 
